Privacy First: All calculations happen in your browser. No data is sent to any server. Your answers stay on your device.
Why Most Backup Strategies Fail
Industry data from Veeam, Backblaze, and leading disaster recovery research.
45% of backups fail during actual restore. You won't know until disaster strikes.
Source: Backblaze
89% of ransomware attacks now target backup repositories. Immutable storage is critical.
Source: Veeam 2025
60% of businesses without backups close within 6 months of major data loss.
Source: National Archives & Records Administration
Without monitoring, backup failures go unnoticed until you need to restore.
Industry standard
Common Questions
We use Dropbox/Google Drive. Isn't that a backup?
No. Cloud sync ≠ backup.
If you delete a file or ransomware encrypts it, sync services propagate that deletion/encryption everywhere instantly. Within seconds, your "backup" is gone too.
You need versioned, immutable backups that can't be modified or deleted—even by ransomware or accidental user actions.
My developer says we have backups. Why verify?
Because 45% of backups fail when you actually need to restore (Backblaze research).
Most backup systems run silently. No news feels like good news. Until disaster strikes and you discover your backups haven't worked in 6 months.
The only way to know is to test restores regularly AND have automated monitoring that alerts you to failures within 24 hours.
How much does proper backup cost?
Basic cloud backup: €50-200/month for most small businesses
Complete data loss: 60% of businesses shut down within 6 months (National Archives & Records Administration). The ones that survive spend €50,000-€500,000+ on recovery attempts with only a 55% success rate.
ROI: One prevented disaster pays for decades of proper backups.
Not having backups doesn't save money. It's gambling your entire business on never having a disaster.
What's the difference between 3-2-1 and modern requirements?
The 3-2-1 rule (3 copies, 2 media types, 1 offsite) is still the foundation. But 2025 adds critical requirements:
- Immutability: Ransomware now targets backups. You need immutable (unchangeable) copies.
- Automated monitoring: Silent failures are too common. You need alerts within 24 hours.
- Encryption: GDPR/HIPAA/PCI-DSS now require encrypted backups. Unencrypted = compliance violation.
- Documentation: If only you know how to restore, what happens during a crisis when you're unavailable?
Think of it as 3-2-1 + modern threat protection.
How often should I test my backups?
Minimum: Quarterly (every 3 months)
Better: Monthly for critical systems
Best: Automated verification after every backup
Testing isn't optional—it's the only way to know your backups actually work. Schedule it like a fire drill. Put it on the calendar. Make it routine.
The worst time to discover your backups don't work is when you desperately need them.
What This Tool Actually Checks
This assessment evaluates 9 critical aspects of your backup strategy against both the classic 3-2-1 rule and modern 2025 requirements.
Number of Copies (3-2-1 Rule)
Foundation: 3 copies of your data
The "3" in 3-2-1: You need at least 3 copies of your data—one primary working copy plus two backups.
Why? Single points of failure. If you only have your production data and one backup, a single disaster (fire, ransomware, hardware failure) could destroy both.
Real scenario: Office fire destroys server and the backup drive sitting next to it. No third copy = complete data loss.
Impact: Zero redundancy means 100% data loss from a single disaster.
Storage Locations (3-2-1 Rule)
The "1": One copy offsite
If all your backups are in the same physical location as your production systems, what happens when that location becomes unavailable?
Fire, flood, theft, power outage, ransomware spreading through your network—all these threats affect everything in one location simultaneously.
Geographic separation is critical. At least one backup must be far enough away that a local disaster can't reach it.
Impact: Same location = 100% vulnerability to local disasters (fire, flood, theft, ransomware).
Media Types (3-2-1 Rule)
The "2": Two different storage media
Don't put all your eggs in one basket—or all your backups on one type of storage.
If all your backups are on the same type of media (all hard drives, all tape, all cloud), a vulnerability in that technology affects everything.
Examples of media diversity: Local NAS + cloud storage. External drives + tape. Disk + object storage.
Impact: Media-specific failures (controller failure, ransomware exploiting cloud API, format obsolescence) can't wipe out all backups if you use different types.
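The three 3-2-1 checks above (copies, offsite location, media diversity), plus the immutability requirement, expressed as a check over a backup inventory. This is an added example, not the assessment tool's own code; the `Copy` fields, the site and media labels, and both inventories are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    site: str            # physical location label (assumed naming)
    media: str           # e.g. "disk", "nas", "object-storage", "tape"
    primary: bool = False
    immutable: bool = False

def check_321(copies):
    """Return findings; an empty list means the inventory passes."""
    primaries = [c for c in copies if c.primary]
    if len(primaries) != 1:
        return ["inventory must name exactly one primary copy"]
    primary = primaries[0]
    backups = [c for c in copies if not c.primary]
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies, need primary + 2 backups")
    if len({c.media for c in copies}) < 2:
        findings.append("2: every copy sits on the same media type")
    # Offsite is judged relative to the primary: a backup in the same
    # building shares its fire, flood and theft risk.
    if not any(c.site != primary.site for c in backups):
        findings.append("1: no backup is stored away from the primary site")
    if not any(c.immutable for c in backups):
        findings.append("immutability: no backup copy is write-protected")
    return findings

# Constructed inventories.
OFFICE_ONLY = [
    Copy("file server", "office", "disk", primary=True),
    Copy("usb drive", "office", "disk"),
]
HARDENED = [
    Copy("file server", "office", "disk", primary=True),
    Copy("nas", "office", "nas"),
    Copy("cloud bucket", "eu-datacentre", "object-storage", immutable=True),
]

if __name__ == "__main__":
    for label, inventory in (("office only", OFFICE_ONLY), ("hardened", HARDENED)):
        print(label, check_321(inventory) or "OK")
```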
Restore Testing
Untested backups = Schrödinger's backups
A backup you've never tested is simultaneously working and broken—you won't know until you desperately need it.
45% of backups fail during actual restore attempts (Backblaze). Configuration errors, corrupted data, missing dependencies, incompatible formats, expired credentials...
The only way to know your backups work is to actually restore from them. Regularly. Quarterly minimum.
Impact: Discovering your backups don't work during a disaster = discovering you have no backups.
Backup Automation
Manual backups fail because humans forget
"I'll do it tomorrow" becomes "I'll do it next week" becomes "I haven't backed up in 3 months."
Manual backups sound fine until you're busy, you're on vacation, you're sick, or you simply forget. One missed backup is all it takes.
Automated backups run whether you remember or not. Daily, continuous, scheduled—they happen without human intervention.
Impact: Manual processes fail. Automation ensures backups happen consistently, reliably, on schedule.
Immutability (Ransomware Protection)
2025 requirement: Backups ransomware can't touch
89% of ransomware attacks now target backup repositories (Veeam 2025 Ransomware Trends Report). Why? Because ransomware operators know that if you can restore from backups, you won't pay the ransom.
Immutable backups use write-once-read-many (WORM) storage. Once written, they cannot be modified or deleted—not by you, not by ransomware, not by anyone—until a retention period expires.
Technologies: AWS S3 Object Lock, Azure Immutable Blobs, Backblaze B2 retention, tape storage.
Impact: Ransomware can encrypt your production data AND your regular backups. Immutable backups are your last line of defense.
Monitoring & Alerts
2025 requirement: Know when backups fail
Most backup failures are silent. The system reports "success" but the backup is corrupted, incomplete, or inaccessible.
Without automated monitoring, you won't discover the failure until disaster strikes and you try to restore—weeks or months after the backups stopped working.
Proper monitoring alerts you within 24 hours when backups fail, when storage fills up, when retention policies aren't met, when restore tests fail.
Impact: Early detection means you can fix backup failures before they matter. Silent failures mean discovering your backups don't work when it's too late.
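Detection logic for the two failure modes described above: no good backup within 24 hours, and a run that reports "success" but is implausibly small. This is an added example, not the assessment tool's code; the log format, the job name and the 50% shrink threshold are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed log lines in a hypothetical "timestamp key=value" format.
SAMPLE_LOG = """\
2025-03-01T02:00:07Z job=nightly status=success bytes=5368709120
2025-03-02T02:00:05Z job=nightly status=success bytes=5402263552
2025-03-03T02:00:09Z job=nightly status=success bytes=5435817984
2025-03-04T02:00:04Z job=nightly status=success bytes=1048576
2025-03-05T02:00:06Z job=nightly status=failed bytes=0
"""

def parse(log):
    runs = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        runs.append((when, kv["status"], int(kv["bytes"])))
    return sorted(runs)

def alerts(log, now, max_age=timedelta(hours=24), shrink=0.5):
    out, good_sizes, last_good = [], [], None
    for when, status, size in parse(log):
        if status != "success":
            out.append(f"{when:%Y-%m-%d} run reported {status}")
        elif size == 0 or (good_sizes and size < shrink * median(good_sizes)):
            # Reported success, but far smaller than earlier good runs.
            out.append(f"{when:%Y-%m-%d} 'success' but only {size} bytes")
        else:
            good_sizes.append(size)
            last_good = when
    hours = int(max_age.total_seconds() // 3600)
    if last_good is None:
        out.append("no trustworthy backup on record")
    elif now - last_good > max_age:
        out.append(f"last trustworthy backup {last_good:%Y-%m-%d} is older than {hours}h")
    return out

if __name__ == "__main__":
    now = datetime(2025, 3, 5, 9, 0, tzinfo=timezone.utc)
    print("\n".join(alerts(SAMPLE_LOG, now)))
```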
Encryption
2025 requirement: GDPR/HIPAA compliance
Encryption is required by HIPAA and PCI-DSS, and is considered a necessary safeguard under GDPR Article 32 for most use cases. Unencrypted backups are also a security risk—if someone steals your backup media, they have your data.
You need encryption in two places:
- At rest: Backup files stored encrypted (AES-256 standard per FIPS 140-3)
- In transit: Encrypted while transferring to storage (TLS 1.2+)
Key management is critical: Store encryption keys separately from backups (otherwise anyone who steals backups also gets the keys).
Impact: Unencrypted backups = compliance violations, potential fines, data breaches from stolen media.
Recovery Documentation
2025 requirement: Bus factor protection
You know how to restore from backups. Great. But what happens when disaster strikes and you're unavailable? Sick, on vacation, hit by a bus, unreachable?
If only you know how to restore, your backups are effectively useless when you're not there.
Documented, tested recovery procedures mean anyone on your team (or an emergency consultant) can restore your systems following step-by-step instructions.
Documentation should include: Where backups are stored, how to access them, authentication credentials (stored securely), restore commands/procedures, validation steps, who to contact.
Impact: Bus factor = 1 means one person becoming unavailable during a crisis could mean your business can't recover.